#982771 - 06/26/08 02:34 PM Red Flags - Dealers
Padric Offline
100 Club
Padric
Joined: Feb 2006
Posts: 204
Our bank dealer contracts hold the bank harmless for violations of law by dealers. As long as we've done a risk assessment on the dealers that the bank does business with, can we consider the dealer issue addressed under the FACTA red flag rules? We never see these customers and have to rely on the dealer for ID, etc. as required by law.

#982873 - 06/26/08 03:40 PM Re: Red Flags - Dealers Padric
Dan Persfull Online
10K Club
Dan Persfull
Joined: Aug 2002
Posts: 46,423
Bloomington, IN
Dealers fall under the FTC provisions of these rules and they should have an IDTPP in place, yeah right!

However, from a seminar I attended and reading the requirements, I believe they would be considered a service provider and you must ensure that the service provider has appropriate red flag procedures in place to detect, prevent or mitigate ID Theft.

Regardless of what your contract says with the dealer, you, the FI or creditor, are the ones ultimately responsible under the law.


(This is just one more reason I am thankful we do not do indirect lending.)
_________________________
The opinions expressed are mine and they are not to be taken as legal advice.

#983037 - 06/26/08 05:23 PM Re: Red Flags - Dealers Padric
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
Below is a quote from the "Supplementary Information" section of the final ruling (specifically, a response to commenters on the initial draft of the regulation):

This may help clarify the intent . . .

"The Agencies believe it is important to retain a provision in the final rules addressing service providers to remind financial institutions and creditors that they continue to remain responsible for compliance with the final rules, even if they outsource operations to a third party. However, the Agencies have simplified the service provider provision in the final rules and moved the remaining parts of proposed §l.90(d)(4) to the guidelines. Section l.90(e)(4) of the final rules provides that a covered entity must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions and creditors in managing their service provider arrangements, while making clear that a covered entity cannot escape its obligations to comply with the final rules and to include in its Program those guidelines that are appropriate by simply outsourcing an activity.

Section VI(c) of the guidelines provides that, whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities and either report the Red Flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft."

Taken from page 16 of the Identity Theft Red Flags Final Rule

--------------------------------

Russ Horn, CISA, CISSP
CoNetrix
Identity Theft Prevention Program online tool

#983939 - 06/27/08 03:42 PM Re: Red Flags - Dealers Russ Horn
Rosie O'Grady Offline
Gold Star
Rosie O'Grady
Joined: Nov 2005
Posts: 438
California
Has anyone communicated with their dealers yet and if so, what was said in that communication?

#985004 - 06/30/08 05:12 PM Re: Red Flags - Dealers Rosie O'Grady
Rosie O'Grady Offline
Gold Star
Rosie O'Grady
Joined: Nov 2005
Posts: 438
California
What types of steps are you taking to ensure "oversight" of 3rd party service providers?

#986581 - 07/02/08 02:01 PM Re: Red Flags - Dealers Rosie O'Grady
Still Smiling Offline
Platinum Poster
Joined: Nov 2007
Posts: 767
We have decided to send a letter to all current dealers informing them of their obligations under the regulation... CIP due diligence mainly, and offering a copy of the regulation. In addition, all new contracts will contain language specifically for ID theft.
_________________________
Comments are strictly my own and not that of my employer.
